search for: get_afs_token

...change would replace the calls to kafs. OpenAFS could then distribute the dynamic library, that would get a PAG and fork/exec some program like aklog, or afslog to actually get the token. The aklog or afslog could be distributed by OpenAFS or some Kerberos vendor. The routine loaded is the get_afs_token routine that I proposed last week but without the -setpag "kernel hack". It would have setpag code added to it instead and this runs in the current process avoiding the need to set the PAG in the parent process. The following compiles but I have not tested it. I am looking for comment...

Rather then implementing kafs in MIT Kerberos, I would like to suggest an alternative which has advantages to all parties. The OpenSSH sshd needs to do two things: (1) sets a PAG in the kernel, (2) obtains an AFS token storing it in the kernel. It can use the Kerberos credentials either obtained via GSSAPI delegation, PAM or other kerberos login code in the sshd. The above two

...hctxt); +void session_krb5_use_ccache(Authctxt *authctxt); #endif /* KRB5 */ #if defined(USE_SHADOW) && defined(HAS_SHADOW_EXPIRE) --- orig/session.c +++ mod/session.c @@ -1462,20 +1462,22 @@ * home directory is in AFS and it's not world-readable. */ - if (options.kerberos_get_afs_token && k_hasafs() && - (s->authctxt->krb5_ctx != NULL)) { - char cell[64]; + if (options.kerberos_get_afs_token && k_hasafs()) { + session_krb5_use_ccache(s->authctxt); + if (s->authctxt->krb5_ctx != NULL) { + char cell[64]; - debug("Getting AFS...